Regulatory oversight threatens to undermine potential of Open Banking

The central intention of PSD2 was to define common standards across the EU, and get rid of bilateral agreements.

The ‘nirvana’ that is painted as the end result of Open Banking is a world of increased competition beyond banks, a complete overhaul of the assumed value chain and business models, and customer satisfaction with real-time, personalised banking products, as part of an experience designed around them.

So far, so good. However, differing interpretations of Open Banking across Europe threaten to stall its progress, limiting FinTech innovation, and undermining the consumer confidence that will be critical for the new framework to have its desired impact.

Standing alone

It is noteworthy that the UK is the only nation of all the EU member states to have an Open Banking Implementation Entity. Meanwhile, countries such as France and Ireland – who have made no secret of their desire to take advantage of Brexit to try and lure British businesses across the channel – have written PSD2 straight into their rulebook. This is a significant competitive play, and will be attractive for innovative FinTech firms looking to take advantage of Open Banking APIs to provide new services – without the extra layer of complication that the FCA has added in the UK.

Financial Conduct Authority– a regulatory oversight

It goes without saying that this new landscape will bring more and different types of businesses into the ecosystem. One such business type is an AISP (“Account Information Service Provider”)– a business which, with a customer’s consent, provides account aggregation services across different banks, giving consumers a single view of their payment accounts in one single portal.

The FCA has decided to use a much more restrictive definition of an AISPthan had been previously set out both by the European Union institutions under PSD1 and also by HM Treasury in The Payment Services Regulations 2017 – and a definition which is at odds with that used across other EU member states.It stipulates that only consumer-facing companies can be defined as an AISP. This means that data aggregators, which supply these FinTech apps with data are not regulated, despite the vast amounts of consumer-permissioned data they handle and have access to.

In addition, the Open Banking Implementation Entity (OBIE) only allows companies registered with the relevant regulatory authority (the FCA in the UK), to directly access Open Banking APIs in the long-term. Without this direct access, third party providers must register such companies as their ‘outsource provider’ so they can gain access to the Open Banking APIs indirectly. This decision and process has surprised many within the Third Party Provider community, who have generally expected that the aggregators would be subject to regulatory oversight.

Liability questions will undermine confidence

The FCA’s failure to regulate this swathe of the market has a range of possible consequences for the consumer. With 10,000 new people each week using apps that are enabled by Open Banking, it’s a major concern that – in the event of a data breach with an aggregator – consumers would not be able to hold that company liable. Instead, they would be entirely dependent on any provisions included in the liability agreement between the FinTech applications they use and the unregulated aggregator where the breach took place.

Consumer confidence and trust in the Open Banking initiative is the backbone of the success of the entire initiative. Needless to say, this regulatory oversight brings the potential to undermine this. If a significant data breach were to take place and consumers were denied adequate protections, it is difficult to see Open Banking – and the services it enables – becoming widely adopted. The data sharing aspect of Open Banking is already a primary concern for consumers – recent research by Accenture found that 85% of those asked said the fear of fraud would put them off sharing data, and 69% said they would not share financial data with businesses that were not banks.

Calling for regulatory reform

With this in mind, it is our collective industry responsibility to ensure that any loose links in the chain are ironed out. The FCA has already proposed some revisions to the regulation, though have so far missed the opportunity to extend the definition of an AISP to include non-consumer facing data aggregators.

Among the original objectives of PSD” were to “make payments safer and more secure” and to “protect consumers”, while Open Banking promised to ensure that customers can “share their data securely.” We have to ensure that there are the dispute resolution mechanisms in place to guarantee that consumers will be protected and made whole in the event of an aggregator breach. Without holding true to this, we fail the potential of the concept, and most worringly, consumers.